windbg and SSDT

Posted: Sat Jul 06, 2013 2:29 pm
by WaxfordSqueers
I am a novice with WinDbg, so please go easy on me. :devil:

I was poking through the SSDT and came across addresses that seemed odd, with no accompanying functions.

Check out bad60b30, which I have partly dumped below the SSDT info.

Does this seem normal to you more experienced types, or is it something that needs further attention?

804e26a8  8058fdf5 nt!NtAcceptConnectPort
804e26ac  805790f1 nt!NtAccessCheck
804e26b0  80587999 nt!NtAccessCheckAndAuditAlarm
804e26b4  80591130 nt!NtAccessCheckByType
804e26b8  8058da83 nt!NtAccessCheckByTypeAndAuditAlarm
804e26bc  8063807e nt!NtAccessCheckByTypeResultList
804e26c0  8063a207 nt!NtAccessCheckByTypeResultListAndAuditAlarm
804e26c4  8063a250 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
804e26c8  8057a6e4 nt!NtAddAtom
804e26cc  80649047 nt!NtQueryBootOptions
804e26d0  80637835 nt!NtAdjustGroupsToken
804e26d4  8058d0a1 nt!NtAdjustPrivilegesToken
804e26d8  8062f97c nt!NtAlertResumeThread
804e26dc  8057abcd nt!NtAlertThread
804e26e0  80588928 nt!NtAllocateLocallyUniqueId
804e26e4  806268ff nt!NtAllocateUserPhysicalPages
804e26e8  805dd3c9 nt!NtAllocateUuids
804e26ec  bad60b30
804e26f0  805d9767 nt!NtAreMappedFilesTheSame
804e26f4  805a24ba nt!NtAssignProcessToJobObject
804e26f8  804e2cb4 nt!NtCallbackReturn
804e26fc  8064905b nt!NtModifyBootEntry

lkd> db bad60b30
bad60b30  55 8b ec 81 ec 04 02 00-00 8b 0d 90 30 d6 ba 56  U...........0..V
bad60b40  57 8b 7d 08 8b 11 8d 45-08 6a 00 50 6a 00 52 68  W.}....E.j.Pj.Rh
bad60b50  80 00 00 00 57 ff 15 38-30 d6 ba 85 c0 0f 85 bb  ....W..80.......
bad60b60  00 00 00 8b 45 08 03 05-00 42 d6 ba 8b 00 89 45  ....E....B.....E
bad60b70  fc a1 dc 40 d6 ba 85 c0-0f 84 97 00 00 00 e8 37  [email protected]
bad60b80  1a 00 00 3b 45 fc 0f 84-89 00 00 00 8d 85 fc fe  ...;E...........
bad60b90  ff ff 50 e8 68 f7 ff ff-8b 55 08 8d 8d fc fd ff  ..P.h....U......
bad60ba0  ff 51 52 e8 98 f7 ff ff-8d 85 fc fd ff ff 50 6a  .QR...........Pj

lkd> u bad60b30
bad60b30 55              push    ebp
bad60b31 8bec            mov     ebp,esp
bad60b33 81ec04020000    sub     esp,204h
bad60b39 8b0d9030d6ba    mov     ecx,dword ptr ds:[0BAD63090h]
bad60b3f 56              push    esi
bad60b40 57              push    edi
bad60b41 8b7d08          mov     edi,dword ptr [ebp+8]
bad60b44 8b11            mov     edx,dword ptr [ecx]

Posted: Sat Jul 06, 2013 7:12 pm
by Kayaker
Hooked NtAllocateVirtualMemory (Id 0x11) on XP, from the looks of it, I believe.

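A quick way to turn a dump like the one above into a hook report, as an added example that is not part of Kayaker's reply or the original thread: the script below parses `dps`-style WinDbg rows (slot address, stored pointer, optional resolved symbol) and flags any slot whose target falls outside the ntoskrnl image or carries no `nt!` symbol. It computes the service index as (slot - table base) / 4, which for the table above gives 0x11 for the bad60b30 slot, matching the Id in the reply. The SSDT text is copied from the post above; the `NT_IMAGE_RANGE` bounds are an assumed placeholder and should be taken from `lm m nt` on the actual machine. Mapping an index to a service name is per-OS and is left to the reader (on XP, 0x11 is NtAllocateVirtualMemory per the reply).

```python
"""Flag SSDT slots whose target is not a resolved ntoskrnl export.

Added example, not code from the thread: parses dps-style WinDbg output
such as the table in the first post and reports slots that point outside
the kernel image or that the debugger could not resolve to an nt! symbol.
"""
import re

# Constructed input: the SSDT rows pasted in the first post (slot, pointer, symbol).
SSDT_DUMP = """
804e26a8  8058fdf5 nt!NtAcceptConnectPort
804e26ac  805790f1 nt!NtAccessCheck
804e26b0  80587999 nt!NtAccessCheckAndAuditAlarm
804e26b4  80591130 nt!NtAccessCheckByType
804e26b8  8058da83 nt!NtAccessCheckByTypeAndAuditAlarm
804e26bc  8063807e nt!NtAccessCheckByTypeResultList
804e26c0  8063a207 nt!NtAccessCheckByTypeResultListAndAuditAlarm
804e26c4  8063a250 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
804e26c8  8057a6e4 nt!NtAddAtom
804e26cc  80649047 nt!NtQueryBootOptions
804e26d0  80637835 nt!NtAdjustGroupsToken
804e26d4  8058d0a1 nt!NtAdjustPrivilegesToken
804e26d8  8062f97c nt!NtAlertResumeThread
804e26dc  8057abcd nt!NtAlertThread
804e26e0  80588928 nt!NtAllocateLocallyUniqueId
804e26e4  806268ff nt!NtAllocateUserPhysicalPages
804e26e8  805dd3c9 nt!NtAllocateUuids
804e26ec  bad60b30
804e26f0  805d9767 nt!NtAreMappedFilesTheSame
804e26f4  805a24ba nt!NtAssignProcessToJobObject
804e26f8  804e2cb4 nt!NtCallbackReturn
804e26fc  8064905b nt!NtModifyBootEntry
"""

# ASSUMPTION: placeholder ntoskrnl image bounds; read the real ones from `lm m nt`.
NT_IMAGE_RANGE = (0x804D7000, 0x806E4000)

# One dps row: 8-hex-digit slot, 8-hex-digit pointer, optional symbol.
LINE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?$")


def parse_dps(text):
    """Return [(slot_address, target_address, symbol_or_None), ...]."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blanks, prompts and anything that is not a dps row
        slot, target, symbol = m.groups()
        entries.append((int(slot, 16), int(target, 16), symbol))
    return entries


def find_hooked_slots(entries, nt_range, table_base=None):
    """Return a dict per slot that looks hooked.

    A slot is suspicious when its target lies outside nt's image range, or
    when the debugger attached no symbol or one from another module.
    The service index is (slot - table_base) // 4; table_base defaults to
    the first slot in the dump, which is only correct when the dump starts
    at index 0 of the table (as the one above does: NtAcceptConnectPort).
    """
    if not entries:
        return []
    if table_base is None:
        table_base = entries[0][0]
    lo, hi = nt_range
    hooked = []
    for slot, target, symbol in entries:
        outside_nt = not (lo <= target < hi)
        bad_symbol = symbol is None or not symbol.startswith("nt!")
        if outside_nt or bad_symbol:
            hooked.append({
                "index": (slot - table_base) // 4,
                "slot": slot,
                "target": target,
                "symbol": symbol,
            })
    return hooked


if __name__ == "__main__":
    for h in find_hooked_slots(parse_dps(SSDT_DUMP), NT_IMAGE_RANGE):
        print("service 0x%02x @ %08x -> %08x (%s)"
              % (h["index"], h["slot"], h["target"], h["symbol"] or "no symbol"))
```

Once a slot is flagged, the follow-up in the debugger is `lm` (or `!lmi`) against the target address to see which loaded driver owns it, which is what identified hcmon.sys later in this thread; the script only points at the slot.
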
Posted: Sun Jul 07, 2013 1:32 am
by WaxfordSqueers
Kayaker wrote: Hooked NtAllocateVirtualMemory (Id 0x11) on XP, from the looks of it, I believe.
Thanks there, Kayaker. Tracked it down in trusty old ice. Seems to be hooked by hcmon.sys, a VMware USB monitor for VM Player.

It was kind of stupid how I picked it up. I am still working the same problem of tracking Notepad down to the MFT level. It happens mainly via Shell32.dll and Shlwapi.dll, and there is a call from shell32 to k32!readfile. Unfortunately, something is loading Notepad into the file cache and it gets read from there, so I tried loading every app I could to see if it would overwrite the cache. Normally, I don't use VM Player.